diff --git a/.env.development b/.env.development
index 100f58d61e..880382b80e 100644
--- a/.env.development
+++ b/.env.development
@@ -28,3 +28,6 @@ RAILS_DB_HOST=postgres
 RAILS_DB_PORT=5432
 RAILS_DB_NAME=manifold_production
 RAILS_REDIS_URL=redis://redis:6379
+
+CAS_CLIENT_ID=AAABBBCCCDDDEEEFFF
+CAS_CLIENT_SECRET=AAABBBCCCDDDEEEFFF
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index bd2e759132..c38235928d 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,5 +18,10 @@ on:
 
 jobs:
   deploy:
-    uses: scientist-softserv/actions/.github/workflows/deploy.yaml@v0.0.22
-    secrets: inherit
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Load secrets into OAuth config"
+        run: envsubst < api/config/oauth.tmpl.yml > api/config/oauth.yml;
+      - name: "Do deploy"
+        uses: scientist-softserv/actions/.github/workflows/deploy.yaml@v0.0.22
+        secrets: inherit
diff --git a/Dockerfile b/Dockerfile
index c70f18c33f..c81ddddfa0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@
 FROM ruby:2.7.8 as manifold-api
 RUN apt-get -o Acquire::Check-Valid-Until=false update
 RUN apt-get install -y libicu-dev postgresql-client nano curl software-properties-common ghostscript \
-    vim less
+    vim less gettext
 
 # We need Node and Mammoth for Word text ingestion
 RUN curl -sL https://deb.nodesource.com/setup_16.x | bash -
@@ -21,6 +21,7 @@ RUN sed -i '/<policy domain="coder" rights="none" pattern="PDF" \/>/d' \
 COPY api /opt/manifold/api
 WORKDIR /opt/manifold/api
 ENV RAILS_LOG_TO_STDOUT=1
+RUN envsubst < config/oauth.tmpl.yml > config/oauth.yml
 RUN gem install bundler:2.2.19
 RUN bundle install
 COPY bin/start-and-run /opt/manifold/api/start-and-run
diff --git a/api/config/oauth.tmpl.yml b/api/config/oauth.tmpl.yml
new file mode 100644
index 0000000000..6f810bc43f
--- /dev/null
+++ b/api/config/oauth.tmpl.yml
@@ -0,0 +1,28 @@
+oauth:
+  cas:
+    client_id: $CAS_CLIENT_ID
+    client_secret: $CAS_CLIENT_SECRET
+    descriptive_name: Princeton CAS
+    host: fed.princeton.edu
+    protocol: https
+    email_key: 'mail'
+    name_key: 'displayname'
+    nickname_key: 'givenname'
+    uid_key: 'campusid'
+    # WARN: The values below are placeholders
+    endpoints:
+      authorize:
+        uri: '/cas/login'
+        method: 'GET'
+        query:
+          another: 'param'
+      token:
+        uri: '/oauth/token'
+        method: 'POST'
+        query:
+          another: 'param'
+      userinfo:
+        uri: '/api/v1/me'
+        method: 'GET'
+        query:
+          another: 'param'